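#!/bin/bash
# Host firewall bootstrap: hardens a few IPv4 sysctls, resets iptables and
# builds an INPUT policy that accepts loopback, established traffic, HTTP and
# HTTPS, with per-source-IP allow (work) and block (pig) lists loaded from
# /root/ipt/ipt.work and /root/ipt/ipt.deny.
# Must run as root; safe to re-run in full because it flushes everything first.
EXTIF="eth0"
INIF=""
INNET=""
# Exported so the rule files run below can refer to them.
export EXTIF INIF INNET

# Kernel hardening: SYN cookies, ignore broadcast pings, reverse-path filter
# and martian logging on every interface; no source routing, no ICMP redirects.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
  echo "1" > "$i"
done
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
  echo "0" > "$i"
done

# Flush all chains, delete user chains, zero counters, set default policies.
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
iptables -F
iptables -X
iptables -Z
# INPUT is fail-closed from here until the ACCEPT rules below are appended;
# keep that window short (nothing else between -P and the first rules).
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# NOTE(review): FORWARD stays ACCEPT; only matters if ip_forward is enabled.
iptables -P FORWARD ACCEPT

# Custom chains: work holds source IPs to allow, pig holds source IPs to block.
iptables -N work
iptables -N pig
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Incoming packets pass through work, then pig, before the service rules.
iptables -A INPUT -j work
iptables -A INPUT -j pig

# Chain deny: log the packet (prefix matches the rsyslog filter) and drop it.
iptables -N deny
iptables -A deny -j LOG --log-prefix "ipt pig : " --log-level 6
iptables -A deny -j DROP

# Populate work and pig from the per-host rule files; they run as root, so
# keep them writable by root only.
sh /root/ipt/ipt.work
sh /root/ipt/ipt.deny

# More than 30 concurrent HTTP connections from one source address go to deny
# (connlimit's default mask is /32, i.e. per source IP).
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 30 -j deny
# Open HTTP and HTTPS to everyone else (protocol name lower-cased for consistency).
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT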
● ipt.work
iptables -A work -s x.x.x.x/32 -j ACCEPT # source IP to allow; x.x.x.x is a placeholder for the real address
● ipt.deny
iptables -A pig -s x.x.x.x/32 -j DROP # source IP to block; x.x.x.x is a placeholder. NOTE(review): -j DROP here is silent; jump to the deny chain instead if these blocks should show up in ipt.log
● log 設定
centos 6.3 後版本
/etc/rsyslog.d/ipt.conf
:msg,contains,"ipt pig : " /var/log/ipt.log
& ~
service rsyslog restart
● centos 6.3之前版本
/etc/syslog.conf
kern.=6 /var/log/ipt.log
service syslog restart